Site icon API Security Blog

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)

Last week, there were 82 vulnerabilities disclosed in 59 WordPress Plugins and 11 WordPress themes, along with 6 in WordPress Core, that have been added to the Wordfence Intelligence Vulnerability Database, and there were 26 Vulnerability Researchers that contributed to WordPress Security last week. **Review those vulnerabilities in this report now to ensure your site is not affected.**

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

_[Click here to sign-up for our mailing list]() to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. _

* * *

### New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our [Premium](), [Care](), and [Response]() customers last week:

* [MStore API <= 3.9.2 – Multiple Authentication Bypass]()
* [WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.10.7 – Unauthenticated Insecure Direct Object Reference to Arbitrary User Password Change]()
* [TheGem < 5.8.1.1 – Missing Authorization]()
* [BP Social Connect <= 1.5 – Authentication Bypass]()
* WAF-RULE-595 – Data redacted while we work with the developer to ensure this vulnerability gets patched.
* WAF-RULE-596 – Data redacted while we work with the developer to ensure this vulnerability gets patched.
* [Woodmart Core <= 1.0.36 – Authentication Bypass to Privilege Escalation]()

Wordfence [Premium](), [Care](), and [Response]() customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

* * *

### Total Unpatched & Patched Vulnerabilities Last Week

**Patch Status** | **Number of Vulnerabilities**
—|—
Unpatched | 15
Patched | 67

* * *

### Total Vulnerabilities by CVSS Severity Last Week

**Severity Rating** | **Number of Vulnerabilities**
—|—
Low Severity | 3
Medium Severity | 68
High Severity | 8
Critical Severity | 3

* * *

### Total Vulnerabilities by CWE Type Last Week

**Vulnerability Type by CWE** | **Number of Vulnerabilities**
—|—
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 35
Cross-Site Request Forgery (CSRF) | 17
Missing Authorization | 15
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3
Authentication Bypass Using an Alternate Path or Channel | 3
Authorization Bypass Through User-Controlled Key | 2
Acceptance of Extraneous Untrusted Data With Trusted Data | 2
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1
Server-Side Request Forgery (SSRF) | 1
Improper Authentication | 1
Deserialization of Untrusted Data | 1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 1

* * *

### Researchers That Contributed to WordPress Security Last Week

**Researcher Name** | **Number of Vulnerabilities**
—|—
[Rafie Muhammad]() | 16
[Lana Codes]()
(Wordfence Vulnerability Researcher) | 12
[Marco Wotschka]()
(Wordfence Vulnerability Researcher) | 10
[Erwan LR]() | 6
[Mika]() | 4
[Dave Jong]() | 3
[Emili Castells]() | 2
[Liam Gladdy]() | 2
[Prasanna V Balaji]() | 2
[LEE SE HYOUNG]() | 2
[yuyudhn]() | 2
[Le Ngoc Anh]() | 1
[John Blackbourn]() | 1
[LOURCODE]() | 1
[Jonas Höbenreich]() | 1
[Rio Darmawan]() | 1
[WPScanTeam]() | 1
[Muhammad Daffa]() | 1
[Nguyen Xuan Chien]() | 1
[konagash]() | 1
[thiennv]() | 1
[Jakub Zoczek]() | 1
[Nithissh S]() | 1
[Ramuel Gall]()
(Wordfence Vulnerability Researcher) | 1
[Matt Rusnak]()
(Wordfence Vulnerability Researcher) | 1
[Pavitra Tiwari]() | 1

_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and [obtain a CVE ID through this form](). Responsibly disclosing your vulnerability discoveries to us will also get your name added on the [Wordfence Intelligence leaderboard]() along with being mentioned in our weekly vulnerability report.

* * *

### WordPress Plugins with Reported Vulnerabilities Last Week

**Software Name** | **Software Slug**
—|—
AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable | [ai-engine]()
AutomateWoo | [automatewoo]()
BP Social Connect | [bp-social-connect]()
Baidu Tongji generator | [baidu-tongji-generator]()
Contact Form by Supsystic | [contact-form-by-supsystic]()
ConvertKit – Email Marketing, Newsletter, Subscribers and Landing Pages | [convertkit]()
Cookie Monster | [cookiemonster]()
Custom 404 Pro | [custom-404-pro]()
Customize WordPress Emails and Alerts – Better Notifications for WP | [bnfw]()
Drop Shadow Boxes | [drop-shadow-boxes]()
Easing Slider | [easing-slider]()
Easy Forms for Mailchimp | [yikes-inc-easy-mailchimp-extender]()
Essential Addons for Elementor Pro | [essential-addons-elementor]()
File Away | [file-away]()
Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty | [chaty]()
Jazz Popups | [jazz-popups]()
MStore API | [mstore-api]()
Multiple Page Generator Plugin – MPG | [multiple-pages-generator-by-porthas]()
OTP Login Woocommerce & Gravity Forms | [mobile-login-woocommerce]()
Performance Lab | [performance-lab]()
Photo Gallery by Ays – Responsive Image Gallery | [gallery-photo-gallery]()
PixelYourSite Pro – Your smart PIXEL (TAG) Manager | [pixelyoursite-pro]()
PixelYourSite – Your smart PIXEL (TAG) Manager | [pixelyoursite]()
Predictive Search | [predictive-search]()
Predictive Search for WooCommerce | [woocommerce-predictive-search]()
Quiz Maker | [quiz-maker]()
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | [custom-registration-form-builder-with-submission-manager]()
Ricerca – advanced search | [ricerca-smart-search]()
SEO Change Monitor – Track Website Changes | [seo-change-monitor]()
Scripts n Styles | [scripts-n-styles]()
Simple Page Ordering | [simple-page-ordering]()
Smart App Banner | [smart-app-banner]()
Stop Referrer Spam | [stop-referrer-spam]()
Stop Spammers Security | Block Spam Users, Comments, Forms | [stop-spammer-registrations-plugin]()
Survey Maker – Best WordPress Survey Plugin | [survey-maker]()
Ultimate Dashboard – Custom WordPress Dashboard | [ultimate-dashboard]()
UpdraftPlus WordPress Backup Plugin | [updraftplus]()
Video Gallery | [video-slider-with-thumbnails]()
WP Activity Log | [wp-security-audit-log]()
WP Activity Log Premium | [wp-security-audit-log-premium]()
WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc | [wp-sms]()
WP htaccess Control | [wp-htaccess-control]()
Waiting: One-click countdowns | [waiting]()
WeSecur Security – Antivirus, Malware Scanner and Protection for your WordPress | [wesecur-security]()
WishSuite – Wishlist for WooCommerce | [wishsuite]()
WooCommerce Bookings | [woocommerce-bookings]()
WooCommerce Brands | [woocommerce-brands]()
WooCommerce Composite Products | [woocommerce-composite-products]()
WooCommerce Pre-Orders | [woocommerce-pre-orders]()
WooCommerce Product Add-ons | [woocommerce-product-addons]()
WooCommerce Ship to Multiple Addresses | [woocommerce-shipping-multiple-addresses]()
WooDiscuz – WooCommerce Comments | [woodiscuz-woocommerce-comments]()
WordPress | [wordpress]()
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg | [groundhogg]()
Zotpress | [zotpress]()
nuajik | [nuajik-cdn]()
reCAPTCHA and Cloudflare Turnstile For All Pages, to Block Spam and Hackers Attack, Block Visitors from China | [recaptcha-for-all]()
video carousel slider with lightbox | [wp-responsive-video-gallery-with-lightbox]()
woocommerce-product-recommendations | [woocommerce-product-recommendations]()

* * *

### WordPress Themes with Reported Vulnerabilities Last Week

**Software Name** | **Software Slug**
—|—
Appzend | [appzend]()
BuzzStore | [buzzstore]()
Craft Blog | [craft-blog]()
Fitness Park | [fitness-park]()
Kathmag | [kathmag]()
Kingcabs | [kingcabs]()
Medical Heed | [medical-heed]()
MetroStore | [metrostore]()
Online eStore | [online-estore]()
SparkleStore | [sparklestore]()
SpiderMag | [spidermag]()

* * *

### Vulnerability Details

#### [BP Social Connect <= 1.5 – Authentication Bypass]()

**Affected Software**: [BP Social Connect]()
**CVE ID**: CVE-2023-2704
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [RegistrationMagic <= 5.2.1.0 – Authentication Bypass]()

**Affected Software**: [RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login]()
**CVE ID**: CVE-2023-2499
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [MStore API <= 3.9.0 – Authentication Bypass]()

**Affected Software**: [MStore API]()
**CVE ID**: CVE-2023-2733
**CVSS Score**: 9.8 (Critical)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [SEO Change Monitor <= 1.2 – Authenticated (Subscriber+) SQL Injection]()

**Affected Software**: [SEO Change Monitor – Track Website Changes]()
**CVE ID**: CVE-2023-33209
**CVSS Score**: 8.8 (High)
**Researcher/s**: [Nithissh S]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [OTP Login Woocommerce & Gravity Forms <= 2.2 – Authentication Bypass to Privilege Escalation]()

**Affected Software**: [OTP Login Woocommerce & Gravity Forms]()
**CVE ID**: CVE-2023-2706
**CVSS Score**: 8.1 (High)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Groundhogg <= 2.7.9.8 – Cross-Site Request Forgery to Privilege Escalation]()

**Affected Software**: [WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg]()
**CVE ID**: CVE-2023-2736
**CVSS Score**: 7.5 (High)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Waiting: One-click countdowns <= 0.6.2 – Missing Authorization Checks leading to Authenticated (Subscriber+) Stored Cross-Site Scripting]()

**Affected Software**: [Waiting: One-click countdowns]()
**CVE ID**: CVE-2023-2757
**CVSS Score**: 7.4 (High)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Essential Addons for Elementor Pro <= 5.4.8 – Unauthenticated Server-Side Request Forgery]()

**Affected Software**: [Essential Addons for Elementor Pro]()
**CVE ID**: CVE-2023-32245
**CVSS Score**: 7.3 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Multiple Page Generator Plugin <= 3.3.17 – Authenticated (Administrator+) SQL Injection]()

**Affected Software**: [Multiple Page Generator Plugin – MPG]()
**CVE ID**: CVE-2023-2607
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WooCommerce Pre-Orders <= 1.9.0 – Unauthenticated Cross-Site Scripting]()

**Affected Software**: [WooCommerce Pre-Orders]()
**CVE ID**: CVE-2023-32802
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WooCommerce Product Add-ons <= 6.1.3 – Authenticated (Shop Manager+) PHP Object Injection]()

**Affected Software**: [WooCommerce Product Add-ons]()
**CVE ID**: CVE-2023-32795
**CVSS Score**: 7.2 (High)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Predictive Search <= 1.2.2 – Missing Authorization]()

**Affected Software**: [Predictive Search]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WordPress Core < 6.2.2 – Shortcode Execution in User Generated Content]()

**Affected Software**: [WordPress]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Liam Gladdy]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WordPress Core < 6.2.1 – Shortcode Execution in User Generated Content]()

**Affected Software**: [WordPress]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: [Liam Gladdy]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Predictive Search <= 1.2.2 – Missing Authorization]()

**Affected Software**: [Predictive Search]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Predictive Search <= 1.2.2 – Missing Authorization]()

**Affected Software**: [Predictive Search]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.5 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [File Away <= 3.9.9.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()

**Affected Software**: [File Away]()
**CVE ID**: CVE-2023-0431
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Lana Codes]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Drop Shadow Boxes <= 1.7.10 – Authenticated (Contributor+) Stored Cross-Site Scripting]()

**Affected Software**: [Drop Shadow Boxes]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WordPress Core < 6.2.1 – Insufficient Sanitization of Block Attributes]()

**Affected Software**: [WordPress]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: Unknown
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WooCommerce Brands <= 1.6.45 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode]()

**Affected Software**: [WooCommerce Brands]()
**CVE ID**: CVE-2023-32746
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WordPress Core < 6.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Embed Discovery]()

**Affected Software**: [WordPress]()
**CVE ID**: CVE Unknown
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Jakub Zoczek]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WooCommerce Pre-Orders <= 2.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting]()

**Affected Software**: [WooCommerce Pre-Orders]()
**CVE ID**: CVE-2023-32793
**CVSS Score**: 6.4 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WP SMS <= 6.1.4 – Reflected Cross-Site Scripting via ‘delete_mobile’]()

**Affected Software**: [WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc]()
**CVE ID**: CVE-2023-32742
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Le Ngoc Anh]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Survey Maker <= 3.4.6 – Reflected Cross-Site Scripting via ‘page’ parameter]()

**Affected Software**: [Survey Maker – Best WordPress Survey Plugin]()
**CVE ID**: CVE-2023-2572
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [WooCommerce Composite Products <= 8.7.5 – Reflected Cross-Site Scripting]()

**Affected Software**: [WooCommerce Composite Products]()
**CVE ID**: CVE-2023-32801
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Chaty <= 3.0.9 – Reflected Cross-Site Scripting]()

**Affected Software**: [Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty]()
**CVE ID**: CVE-2023-25019
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Easy Forms for Mailchimp <= 6.8.8 – Unauthenticated Cross-Site Scripting]()

**Affected Software**: [Easy Forms for Mailchimp]()
**CVE ID**: CVE-2023-23900
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [UpdraftPlus <= 1.23.3 – Cross-Site Request Forgery to Cross-Site Scripting via action_authenticate_storage]()

**Affected Software**: [UpdraftPlus WordPress Backup Plugin]()
**CVE ID**: CVE-2023-32960
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Custom 404 Pro <= 3.8.1 – Reflected Cross-Site Scripting via ‘page’]()

**Affected Software**: [Custom 404 Pro]()
**CVE ID**: CVE-2023-32740
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [LEE SE HYOUNG]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Stop Spammers Security <= 2022.6 – Reflected Cross-Site Scripting]()

**Affected Software**: [Stop Spammers Security | Block Spam Users, Comments, Forms]()
**CVE ID**: CVE-2023-2489
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Video Gallery <= 1.0.10 – Reflected Cross-Site Scripting]()

**Affected Software**: [Video Gallery]()
**CVE ID**: CVE-2023-2708
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Marco Wotschka](), [yuyudhn]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Jazz Popups <= 1.8.7 – Reflected Cross-Site Scripting via ‘wpjazzpopup_switchonoff’]()

**Affected Software**: [Jazz Popups]()
**CVE ID**: CVE-2023-32965
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [thiennv]()
**Patch Status**: Unpatched
**Vulnerability Details:**

* * *

#### [Photo Gallery by Ays <= 5.1.6 – Reflected Cross-Site Scripting]()

**Affected Software**: [Photo Gallery by Ays – Responsive Image Gallery]()
**CVE ID**: CVE-2023-2568
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [ConvertKit <= 2.2.0 – Reflected Cross-Site Scripting]()

**Affected Software**: [ConvertKit – Email Marketing, Newsletter, Subscribers and Landing Pages]()
**CVE ID**: CVE-2023-2337
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### ()

**Affected Software**: ()
**CVE ID**: CVE-2023-2710
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Marco Wotschka](), [yuyudhn]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Quiz Maker <= 6.4.2.6 – Reflected Cross-Site Scripting]()

**Affected Software**: [Quiz Maker]()
**CVE ID**: CVE-2023-2571
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Erwan LR]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Essential Addons for Elementor Pro <= 5.4.8 – Reflected Cross-Site Scripting]()

**Affected Software**: [Essential Addons for Elementor Pro]()
**CVE ID**: CVE-2023-32241
**CVSS Score**: 6.1 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [AutomateWoo <= 5.7.1 – Authenticated (Shop manager+) SQL Injection]()

**Affected Software**: [AutomateWoo]()
**CVE ID**: CVE-2023-32743
**CVSS Score**: 5.5 (Medium)
**Researcher/s**: [Rafie Muhammad]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Contact Form by Supsystic <= 1.7.24 – Cross-Site Request Forgery via AJAX action]()

**Affected Software**: [Contact Form by Supsystic]()
**CVE ID**: CVE-2023-2528
**CVSS Score**: 5.4 (Medium)
**Researcher/s**: [Marco Wotschka]()
**Patch Status**: Patched
**Vulnerability Details:**

* * *

#### [Groundhogg <= 2.7.9.8 – Missing Authorization to Non-Arbitrary File Upload](Read More

Exit mobile version